Hi everyone,
Recently I joined excel course dublin and I’m diving deeper into NixOS and have hit a bit of a snag with per-user GUI applications. My goal is to let multiple users on the same system install and manage their own GUI apps (like VS Code, Firefox, etc.) without interfering with each other or requiring root access. I’ve looked into home-manager and nix-user-chroot, but am unsure of:
- Which approach is most robust and future-proof?
- How home-manager can cleanly manage GUI environments (especially when combined with desktop sessions)?
- Potential pitfalls around sandboxing, permission issues, or binary cache caching when each user customizes packages differently.
If anyone has experience with clean, maintainable per-user GUI setups on NixOS, I’d love to hear your workflow, recommended configurations, or gotchas to watch out for.
Some software requires system-level support. Display managers and probably desktop managers need to be defined at the system level. Anything that needs udev rules or PAM configuration or kernel modules (plenty of GUI applications are in this category). Those things get enabled as NixOS options and become available for all users. Linux just isn’t built for these things to be managed by users outside of tech like containers and VMs.
I install everything else (I’d estimate 75–90% of my software, depending on how you count individual GNOME apps) per-user via Home Manager and have no complaints. Even though I run NixOS, I followed the standalone-install instructions for HM so that my user configurations are distinct from my system configuration (can be rolled back, GC’d, etc. separately). Firefox, etc. are all fine when installed like this.
The main gotcha is deciding whether you want everyone to share the same Nixpkgs instance (less store duplication) or have each Home Manager user use its own (more freedom to update Nixpkgs individually). I do the former and update Nixpkgs globally on a timer. (I currently use channels for this—someday I may switch to npins, because many folks seem to be adamant that channels users are missing out on… something… but I have had a good experience with channels for managing my small fleet of machines so far.)
I don’t use flakes and don’t know how flakes would change this analysis.
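The per-user half of the split described in the answer above, as an added example that is not from either poster: a standalone Home Manager `home.nix` that installs GUI applications for one user without root. The user name `alice`, the package selection and the `stateVersion` value are assumptions; `pkgs` is whatever `<nixpkgs>` resolves to for that user, which is the shared system channel as long as the user has not added a `nixpkgs` channel of their own.

```nix
# ~/.config/home-manager/home.nix  (added example; "alice" is a hypothetical user)
{ config, pkgs, lib, ... }:

{
  home.username = "alice";
  home.homeDirectory = "/home/alice";

  # Assumed value: set this once to the release you first installed
  # Home Manager with, and leave it alone afterwards.
  home.stateVersion = "24.05";

  # Lets this user run `home-manager switch`, roll back and garbage-collect
  # their own generations separately from the system configuration.
  programs.home-manager.enable = true;

  # GUI applications end up in this user's profile only; other users on the
  # machine do not see them. Identical store paths are still stored once in
  # /nix/store when every user evaluates the same Nixpkgs.
  programs.firefox.enable = true;
  home.packages = with pkgs; [
    vscode
  ];

  # vscode is unfree. Allow it by name for this user instead of enabling
  # allowUnfree globally, so the exception stays narrow and reviewable.
  nixpkgs.config.allowUnfreePredicate =
    pkg: builtins.elem (lib.getName pkg) [ "vscode" ];

  # Not configurable from here: display manager, udev rules, PAM and kernel
  # modules. Those remain NixOS options in the system configuration, owned
  # by root and shared by all users.
}
```

Applying it with `home-manager switch` runs entirely as the user; only the system-level pieces listed in the final comment need an administrator.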